Tag Archives: NSA

The Eternal Battle over Active Directory between OT and IT

29 October 2020

On October 13th I moderated the anapur Virtual Dialog “Network Monitoring and Anomaly Detection”. During the breaks, some participants from industry talked about a really concerning issue: IT, IT-Security and GRC groups in their companies urge them to integrate their so far isolated production active directories in the corporate directory.

I have been involved in these discussion for 10 years and I never changed my answer:

Don’t do it!

This integration is dangerous. Active Directory simplifies lateral movement once an attacker created a foothold in your network. And it simplifies the distribution of malware through login scripts. Remind the Norsk Hydro attack from March 2019: Divisions with high vertical integration were more affected from LockerGoga than the Alumina production.

In their paper “Seven Strategies to Defend ICSs” from December 2016, DHS ICS-CERT, FBI and NSA provide a very clear active directory strategy:

Never share Active Directory, RSA ACE servers, or other trust stores between corporate and control networks.

For details see chapter 5, “Manage Authentication”.

Hope this helps in discussions with IT, IT-Security and GRC.

In his poem Ulysses, Alfred Tennyson brings it to the point:

Tho‘ much is taken, much abides;
and though we are not now that strength
which in old days moved earth and heaven;
that which we are, we are;
one equal temper of heroic hearts,
made weak by time and fate,
but strong in will to strive, to seek, to find.
And not to yield.

Howto protect against Just-in-time malware

18 August 2015

On Sunday morning at the breakfast table I always read the latest issue of invincea’s The Cyber Intelligencer. In this week’s issue Michael Applebaum writes about just-in-time malware that is not recognized by any traditional or next generation endpoint protection tools. I fully agree with Michael, that an attacker has to hijack only one endpoint to compromise an entire company network.

But it’s not necessary to exploit unpatched vulnerabilities or zero days. Just use a built-in weakness of a Windows OS, e.g. UAC not set to “Always notify me” as default, to get privileged access and start exploring the victim’s computer and network.

But the worst is yet to come: If the attacker is not too greedy and impatient, it is very hard to detect his activities because only standard windows means are used.

Prevent, detect and contain are the keys to successful protection against such threats. In report Defensive Best Practices for Destructive Malware the NSA’s Information Assurance Directorate shows the direction. It’s worth to note that most of the technical measures described in this report are just built-in functions of operating systems. No rocket science! But the measures on the people and process level make the difference. For details see e.g. bullet point “Protect and restrict administrative privileges”.

Enjoy reading and have a good day!

OPM May Have Exposed Security Clearance Data

7 June 2015

When I read David Sanger’s report ‘Hacking Linked to China Exposes Millions of U.S. Workers’ in the New York Times about the Office of Personnel Management (OPM) attack I was shocked on both, the large number of stolen records and the obviously inadequate protection measures and processes.

‘The intrusion came before the personnel office fully put into place a series of new security procedures that restricted remote access for administrators of the network and reviewed all connections to the outside world through the Internet’.

Are basic protection measures like Two Factor Authentication for all employees for access from the internet to federal computer networks really not in place, not even for the NSA:

‘In acting too late, the personnel agency was not alone: The N.S.A. was also beginning to put in place new network precautions after its most delicate information was taken by Edward J. Snowden.’

And why does it take such a long time until an investigation starts? From a LIFARS blog we learn:

‘The possibility of a data breach was first detected back in April, by the Department of Homeland Security. An internal investigation conducted in May, confirmed that the breach had indeed occurred.’

In the New York Times article we find the reason for this delay:

‘Administration officials said they made the breach public only after confirming last month that the data had been compromised and after taking additional steps to insulate other government agencies from the intrusion.’

Again, it seems to me that basic protection measures like proper network segmentation are not in place. In addition to effective communication processes and business continuity management, which could cut the Mean Time To Identify (MTTI) a breach dramatically due to the Ponemon 2015 Cost of Data Breach Study, page 24, figure 24.

Take care!